The present invention relates to computer networks, and more particularly, to devices and methods for updating configuration database information of remote private networks across the Internet.
The growth and proliferation of computers and computer networks allow businesses to efficiently communicate with their own components as well as with their business partners, customers, and suppliers. However, the flexibility and efficiencies provided by such computers and computer networks come with increasing risks, including security breaches from outside the corporation, accidental release of vital information from within it, and inappropriate use of the LAN, WAN, Internet, or extranet.
In managing the growth of computer networks as well as addressing the various security issues, network managers often turn to network policy management services such as firewall protection, Network Address Translation, spam email filtering, DNS caching, Web caching, virtual private network (VPN) organization and security, and URL blocking for keeping network users from accessing certain Web sites through the organization's ISP. Each policy management service, however, generally requires a separate device that needs to be configured, managed, and monitored. Furthermore, as an organization grows and spreads across multiple locations, the number of devices to be maintained multiplies, and with it the expenditure and effort needed to configure, manage, and monitor those devices.
The solution to this problem is not as simple as integrating multiple network policy management functions into a single device at each location and allowing each location to share its policy information with the others. In fact, there are many obstacles and challenges in adopting such an approach. One of these challenges is devising a scheme for specifying, distributing, and updating policy management information effectively across the entire organization. The challenges increase if a directory service such as a Lightweight Directory Access Protocol (LDAP) directory is used to store the policy management information. LDAP database management typically suffers from a lack of flexibility that becomes increasingly relevant as the size of the database increases. These problems generally become more severe in a network with multiple databases that must be kept synchronized and with multiple applications that each require updates to only selected portions of a larger database. For example, conventional approaches to LDAP replication such as slurpd (the stand-alone LDAP update replication daemon) replicate updates of the entire database and do not provide application-specific notification of changes.
Accordingly, there remains a need in the art for a method for efficiently synchronizing multiple LDAP databases storing configuration information including policy management information.
The present invention is directed to a unified policy management system in which the various policies, that is, the sets of rules and instructions that determine the network's operation, may be established and enforced from a single site. According to one embodiment of the invention, a central policy server maintains a central database storing configuration information for a plurality of edge devices in an organization. Relevant portions of the configuration information are transferred to subordinate databases associated with each of the edge devices. Each edge device may then manage policies for a network in the organization according to the configuration information in its own database.
Any changes to the configuration information are made by the central policy server in the central database. The central policy server further creates a log of the changes, stores the log in the central database, and transfers the changes to the affected edge devices for updating their databases.
In one particular aspect of the invention, the central policy server maintains user logs and policy logs for the changes. User logs associate the configuration changes with the particular users making the changes (e.g. particular network administrators). Policy logs associate the configuration changes with the particular edge devices affected by the changes. In creating the policy logs, the changes in the user logs are collected, filtered for each affected edge device, and stored in the policy log associated with that edge device for a later transfer to the edge device.
In another particular aspect of the invention, the central policy server receives a status of the transfer of the configuration changes from the affected edge devices. If the status indicates a successful transfer, the log of changes is deleted from the central database.
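The following Python model is an added example of the change-logging flow described above; it is not the patent's own code or that of any identified product. The class and field names (`CentralPolicyServer`, `EdgeDevice`, `Change`), the LDAP-style distinguished names under `o=acme`, and the scope predicates that decide which edge device a change affects are all assumptions made for illustration, and the changes it records are constructed. It goes one step beyond the text by stamping each change with a sequence number, so that when a transfer reports a failed status and the retained policy log is sent again, the edge device applies each change only once.

```python
"""Central policy server with user logs and per-device policy logs.

Added example (not the patent's implementation). Assumed layout:
each edge device owns the entries under its own ou= and shares
entries under ou=shared. Sequence numbers are an assumption added
so that a retried transfer is idempotent on the edge device.
"""
from dataclasses import dataclass
from itertools import count
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Change:
    seq: int      # monotonically increasing id assigned by the central server
    user: str     # administrator who made the change (the user-log association)
    dn: str       # LDAP-style distinguished name of the affected entry
    attr: str
    op: str       # "replace" or "delete"
    value: str = ""


def apply_to_entry(entry: Dict[str, str], c: Change) -> None:
    """Apply one change to a single directory entry (shared by both sides)."""
    if c.op == "replace":
        entry[c.attr] = c.value
    elif c.op == "delete":
        entry.pop(c.attr, None)
    else:
        raise ValueError("unknown op %r" % c.op)


class CentralPolicyServer:
    def __init__(self) -> None:
        self.db: Dict[str, Dict[str, str]] = {}       # central database
        self.user_log: List[Change] = []              # changes keyed by user
        self.policy_logs: Dict[str, List[Change]] = {}  # changes keyed by device
        self._scopes: Dict[str, Callable[[str], bool]] = {}
        self._seq = count(1)
        self._collected_seq = 0  # highest user-log seq already filtered into policy logs

    def register_device(self, name: str, in_scope: Callable[[str], bool]) -> None:
        self._scopes[name] = in_scope
        self.policy_logs[name] = []

    def change(self, user: str, dn: str, attr: str, op: str, value: str = "") -> Change:
        """All changes go through the central server and into the user log."""
        c = Change(next(self._seq), user, dn, attr, op, value)
        apply_to_entry(self.db.setdefault(dn, {}), c)
        self.user_log.append(c)
        return c

    def build_policy_logs(self) -> None:
        """Collect new user-log entries and filter them per affected device."""
        pending = [c for c in self.user_log if c.seq > self._collected_seq]
        for device, in_scope in self._scopes.items():
            self.policy_logs[device].extend(c for c in pending if in_scope(c.dn))
        if pending:
            self._collected_seq = pending[-1].seq

    def transfer(self, device: str) -> List[Change]:
        """The batch sent to an edge device; it is kept until a success status arrives."""
        return list(self.policy_logs[device])

    def report_status(self, device: str, ok: bool, last_seq: int) -> None:
        """On success, delete the transferred changes from the policy log; otherwise keep them."""
        if ok:
            self.policy_logs[device] = [c for c in self.policy_logs[device] if c.seq > last_seq]


class EdgeDevice:
    def __init__(self, name: str) -> None:
        self.name = name
        self.db: Dict[str, Dict[str, str]] = {}  # subordinate database
        self.last_seq = 0

    def apply(self, changes: List[Change], fail_after: int = None) -> Tuple[bool, int]:
        """Apply a transferred batch; fail_after simulates a transfer cut off mid-batch."""
        for i, c in enumerate(changes):
            if fail_after is not None and i >= fail_after:
                return False, self.last_seq          # report failure, keep what was applied
            if c.seq <= self.last_seq:
                continue                              # duplicate from a retried transfer
            apply_to_entry(self.db.setdefault(c.dn, {}), c)
            self.last_seq = c.seq
        return True, self.last_seq


def run_scenario() -> dict:
    """Constructed scenario: two edge devices, one failed transfer, one retry."""
    srv = CentralPolicyServer()
    srv.register_device("edge1", lambda dn: dn.endswith((",ou=edge1,o=acme", ",ou=shared,o=acme")))
    srv.register_device("edge2", lambda dn: dn.endswith((",ou=edge2,o=acme", ",ou=shared,o=acme")))
    srv.change("alice", "cn=fw,ou=edge1,o=acme", "allowPort", "replace", "22")
    srv.change("bob", "cn=fw,ou=edge2,o=acme", "allowPort", "replace", "443")
    srv.change("alice", "cn=dns,ou=shared,o=acme", "cacheEnabled", "replace", "TRUE")
    srv.build_policy_logs()
    edge1, edge2 = EdgeDevice("edge1"), EdgeDevice("edge2")
    edge1_seqs = [c.seq for c in srv.transfer("edge1")]
    edge2_seqs = [c.seq for c in srv.transfer("edge2")]
    ok, last = edge1.apply(srv.transfer("edge1"), fail_after=1)  # first attempt cut off
    srv.report_status("edge1", ok, last)
    pending_after_failure = len(srv.policy_logs["edge1"])
    ok, last = edge1.apply(srv.transfer("edge1"))                # retry of the retained log
    srv.report_status("edge1", ok, last)
    ok2, last2 = edge2.apply(srv.transfer("edge2"))
    srv.report_status("edge2", ok2, last2)
    return {
        "edge1_seqs": edge1_seqs,
        "edge2_seqs": edge2_seqs,
        "pending_after_failure": pending_after_failure,
        "edge1_db": edge1.db,
        "edge2_db": edge2.db,
        "logs_cleared": not srv.policy_logs["edge1"] and not srv.policy_logs["edge2"],
        "users_in_user_log": [c.user for c in srv.user_log],
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Two points worth noting in this model. Because the policy log is deleted only when the edge device reports success, a transfer that fails part way is simply sent again, which makes delivery at-least-once; the sequence number on each change is what lets the edge device discard the part of the retry it already applied, and an implementation without such a marker would need every change to be idempotent on its own. The user log is left intact after the policy logs are built, so the association between a change and the administrator who made it survives for auditing even after the per-device copies have been deleted.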